Tuesday, January 7, 2003
OASIS Members Form Technical Committee to Advance PKI Adoption for Secure Transactions
Boston, MA, USA; 7 January 2003 -- The OASIS standards consortium
has organized a new technical committee to advance adoption of the
Public-Key Infrastructure (PKI) for Web services and other applications.
PKI serves as a foundation to enable secure e-business transactions.
The new technical committee has been created within the OASIS PKI
Member Section, a group formed as a result of the recent transition of
the advocacy group, PKI Forum, to OASIS.
"PKI and digital certificates have
become key components of identity-related security services," said John
Sabo of Computer Associates, vice chair of the OASIS PKI Technical
Committee. "We expect the Technical Committee to cover a broad range of
business and technical issues and address the practical use of PKI in
support of high trust applications on the Web and in other networked
environments."
11:04:39 AM
Liberty Alliance: Majority of members plan to implement in 2003. The Liberty Alliance released an announcement this morning saying that a recent survey of its membership indicated a majority of founder- and sponsor-level members polled said they plan to implement the Liberty version 1.1 specifications within the year. The Alliance also announced 22 new members, bringing the total Alliance membership base to 150 organizations.
"Last year was very productive for the Alliance - we began our work in January 2002, launched the version 1.0 specifications in July, issued version 1.1 for public review in November and are moving forward toward releasing a draft of version 2.0 within the first half of this year," said Michael Barrett, president of the Liberty Alliance Management Board. "Now we are seeing additional progress on the implementation front. Of course the technology vendors are the first-movers, but we're also beginning to hear more from customer-facing organizations planning to use Liberty-enabled products and services."
In addition, SourceID, an open source development community sponsored by Ping Identity Corporation, announced the early January release of its open source Liberty v1.1 Protocol Single Sign-on Toolkit for Java. [Scott Loftesness]
Liberty Alliance foreshadows products, services. Web services group identifies 22 new members [InfoWorld: Top News]
8:04:05 AM
From [The Doc Searls Weblog]
I met my friend Judi when she became
the first human being, ever, to respond affirmatively when I uttered
"markets are conversations" in a public place. (It was at PC Forum, many
years ago.) That started a
rather major ball rolling.
And now Judi has a blog, which she has
inaugurated with fresh
thoughts about identity that ring true:
There are a few folks (Doc, Mitch, Eric N,
with several others; one place to start is Doc's)
carrying on about identity, mostly of the digital variety. Identity, it
was reported,
falls into three "tiers:" assumed/personal, assigned/commercial, and
abstracted/aggregate/marketing.
I see, but I don't agree. Identity is different from reputation:
reputation is outside looking in, identity is inside looking out. The
second and third tiers are really reputations of a commercial sort. The
second tier, assigned, arises as a result of an agreement between two
entities (e.g., a person and a store). The third tier, abstracted, is a
generalized, functional sort relative to aspects that the owner/utilizer
group wants to see. We don't get to "own" our personas in either tier;
rather we make an agreement by use of services or goods (like shopping
carts and/or credit cards) to be represented, abstracted, and
relationalized.
Calling them digital identities is a bit of a misnomer. More truly
we are creating digital reputations, for our identity may or may not
align, and in fact our personal identity may not even be the only one
adding to our digital reputation. (What happens when our "digital ID" is
stolen?)
Ok then. My identity has several parts (as I see it): I am
not happy about our current politics, I hate commercials (why do
advertisers treat me as if I were Stooopid?), I've been poor too long. I
have no respect for liars, personal or corporate. I still don't know
what fires my soul. I want to donate my organs when I die. Exactly how
many of these bits do I think are appropriately represented by my
corporate reputations? Zero. They can't even categorize the stores I
shop in properly. But that goes to my reputation.
I really like the inside-out vs. outside-in stuff.
"Identity is different from reputation: reputation is outside
looking in, identity is inside looking out. The second and third tiers
are really reputations of a commercial sort." Well that pretty well
ties to my previous point. What is defined here as identity is the sense of self
(persona, "distinct personality") while reputation is credentialling in its
loosest sense of relying on collective judgment.
While markets are conversations, not all conversations are markets.
While some conversations may require nothing beyond the parties
presenting/asserting persona, most conversations between two or more
parties will require some fashion of credentialled authentication of
each party. How we manage those is what I think of as identity management. Credentials
come in many flavors: vouched for by a mutual friend or something more
formal such as a license (driver license, business license,
professional license) or a certificate (flight school, MBA, driver
safety class) or a defined role/relationship (marriage license, birth
certificate, naturalization papers, employment, credit card, land
title).
Suppose I have a child with a medical problem. Consider the variety of
credentials I need to have (and that I'll require others to have) as I
have various online conversations about that medical problem with my
employer, my insurance company, my child's doctor, the pharmacy, the
school, friends,.... How do the needs of those conversations fit with
this dialog on identity?
6:18:01 AM
Doc Searls and others have been
noodling on an idea of three-tiered identity as the way to arrive at
"identity management." I find the discussion confusing.
One aspect seems to build on the idea of the Internet being a
collection of connected points. I get that. Cyberspace is connecting
"here" to "there" with nothing in between. But there seems to be an
expectation that "there" will be a vendor - that the interactions are
commercial and any problems with "identity" are about who "owns" that
identity - the person or the vendor. This leads to a debate about
"identity" as a property right (is identity owned/controlled by identee
or identor?).
Sometimes the conversation about identity overlaps two definitions of
identity - 1) "the distinct personality of an individual regarded as a
persisting entity" and 2) "the collective aspect of the set of
characteristics by which a thing is recognizable or known."
We may "own" our distinct personality but when we "transact," we dive
into identity as the collective, recognizable set of characteristics
known separately as "me" and "you" and "vendor X." In fact, at birth we
are cast into the collective aspect. We are defined by "mother" and the
community we are born into. That's what a birth certificate
commemorates - this is "me" - who has this woman as "mother" - who gave
birth to me in this location - which defines aspects of
citizenship/community.
That may define the core "identity" but what seems to be commonly
discussed as "identity management" is a larger collective aspect of
characteristics - the credentials, roles, relationships that festoon
that core identity. We can claim ownership of our birth certificate all
we wish but the everyday interactions (online or offline) involve more
than that. My credit card is a credential defining the
roles/relationship between me and my credit card issuer - which is
recognized/verified by various vendors. My driver license is a
credential defining the roles/relationship between me and my Motor
Vehicle Department - which is recognized/verified by various commercial
and non-commercial parties. When I chat with my doctor, I assume those
credentials on the wall are real and someone verified them (that I'm
talking to someone who knows what they are talking about). If we move
the chat online, I still want 1) to know that is my doctor who 2) has
real credentials from sources that I could verify if I wished and 3)
those credentials were really verified by someone I trust (doc is
licensed). When that doctor writes a prescription for me, the pharmacy
needs some trust in that being a real doctor who is my doctor and that
I'm the patient the prescription is for. Online or offline, many
"transactions" are not just between two end points - they are a dance
among several parties requiring various credentials (collective
agreement on credible characteristics) and often we use different
credentials for different parts of the transaction. If I were to go to
an online pharmacy, I would have to authenticate myself to their system
(myPharmID), submit a prescription from my doctor (authenticate doctor
to them in a way that links my doc's DocID to me and to doc's
doc-licensed-to-prescribe-in-my-jurisdictionID) for a drug described in
a standard way (drugID), I submit my InsuranceID which triggers a
partial payment while I pay the balance with my VisaID. And myPharmID
associates me with a secure physical address (e.g. PO Box), the VisaID
might be to an electronic billing address while my doc will likely want
my where-I-live address as well as an InsuranceID address and
electronic billing address.
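The pharmacy transaction described above is, in security terms, a credential chain: the pharmacy has no relationship with the doctor, so it can only accept the prescription if a party it does trust (the licensing board) vouches for the doctor, and every link must be bound to the same patient. The following is an added example written for this page, not code from the original post or from any of the organizations it mentions. It assumes Ed25519 signatures over JSON claims, and the IDs "patient-42", "NDC-0000-0000" and jurisdiction "CA" are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is an issuer-signed set of claims. The signature covers the
// canonical JSON encoding of Claims (encoding/json sorts map keys).
type Credential struct {
	Claims    map[string]string
	Signature []byte
}

func issue(priv ed25519.PrivateKey, claims map[string]string) Credential {
	msg, _ := json.Marshal(claims)
	return Credential{Claims: claims, Signature: ed25519.Sign(priv, msg)}
}

func verify(pub ed25519.PublicKey, c Credential) bool {
	if len(pub) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key size
		return false
	}
	msg, _ := json.Marshal(c.Claims)
	return ed25519.Verify(pub, msg, c.Signature)
}

// Pharmacy is the relying party. Its trust anchors are the medical board
// and the insurer; it has no direct relationship with the doctor.
type Pharmacy struct {
	Jurisdiction string
	BoardKey     ed25519.PublicKey
	InsurerKey   ed25519.PublicKey
}

// Fill walks the chain: the board vouches for the doctor (license), the
// doctor vouches for the order (prescription), the insurer vouches for
// coverage, and every link must name the patient who is presenting.
func (p Pharmacy) Fill(license, rx, coverage Credential, patient string) error {
	if !verify(p.BoardKey, license) {
		return errors.New("license not signed by the medical board")
	}
	if license.Claims["jurisdiction"] != p.Jurisdiction || license.Claims["may_prescribe"] != "yes" {
		return errors.New("doctor not licensed to prescribe in this jurisdiction")
	}
	docKey, err := hex.DecodeString(license.Claims["doctor_key"])
	if err != nil || !verify(ed25519.PublicKey(docKey), rx) {
		return errors.New("prescription not signed by the licensed doctor")
	}
	if rx.Claims["patient"] != patient {
		return errors.New("prescription is for a different patient")
	}
	if !verify(p.InsurerKey, coverage) || coverage.Claims["patient"] != patient {
		return errors.New("no valid coverage for this patient")
	}
	if coverage.Claims["drug"] != rx.Claims["drug"] {
		return errors.New("coverage does not include the prescribed drug")
	}
	return nil
}

// Scenario builds constructed sample credentials (hypothetical IDs, fresh
// random keys) and returns the pharmacy plus the three credentials.
func Scenario() (Pharmacy, Credential, Credential, Credential) {
	boardPub, boardPriv, _ := ed25519.GenerateKey(rand.Reader)
	insPub, insPriv, _ := ed25519.GenerateKey(rand.Reader)
	docPub, docPriv, _ := ed25519.GenerateKey(rand.Reader)

	pharmacy := Pharmacy{Jurisdiction: "CA", BoardKey: boardPub, InsurerKey: insPub}
	license := issue(boardPriv, map[string]string{
		"doctor_key": hex.EncodeToString(docPub), "jurisdiction": "CA", "may_prescribe": "yes"})
	rx := issue(docPriv, map[string]string{"patient": "patient-42", "drug": "NDC-0000-0000"})
	coverage := issue(insPriv, map[string]string{"patient": "patient-42", "drug": "NDC-0000-0000"})
	return pharmacy, license, rx, coverage
}

func main() {
	p, license, rx, coverage := Scenario()
	fmt.Println("honest presentation:", p.Fill(license, rx, coverage, "patient-42"))
	// Someone else presents the same prescription and coverage.
	fmt.Println("wrong patient:", p.Fill(license, rx, coverage, "patient-7"))
	// The drug is changed after the doctor signed the order.
	rx.Claims["drug"] = "NDC-9999-9999"
	fmt.Println("altered order:", p.Fill(license, rx, coverage, "patient-42"))
}
```

The point the example makes about the "policy before protocol" argument: the signature checks are the protocol part and are mechanical; which issuers the pharmacy anchors trust in, which jurisdictions count, and that the patient name must match across the license-to-prescription-to-coverage chain are policy decisions that the code can only enforce once someone has decided them.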
One of the recent conversations was about the "policy" issues that need
to follow the "protocol" issues. I would argue the "policy" issues come
first. We have so many flavors of relationships - parent/child/sibling,
employee/employer, expert/one-seeking-expertise, customer/vendor,
citizen/country-state-city, teacher/student. We grow up learning to
intuit who to trust with what. We can't intuit how to trust those we
don't know. We rely on webs of trust. And when those webs become
impersonal/unknown we rely on policy. Policy as collectively defined
protocols establishing "the collective aspect of the set of
characteristics by which a thing is recognizable or known."
I'm thinking we need to back up and think about what needs to work before we think
about how it needs to work.
Flavors of relationships with layers of trust - somehow it feels like
more than 3 tiers. One might even argue that the concerns about the 3rd
tier come from not having collectively agreed policy for the 2nd tier -
that much of the "theirID" comes from leaks in the "ourID" due to
inadequate policy leading to incomplete protocols.
Just my two cents.
meanwhile....
Speaking of Ourdentity.
I still think we need language that describes identity
in terms of property. People are not going to understand the extent of
the Bush Administration's plundering of civil rights until we connect
the abstract notion of identity in terms of property, as in "You don't
have the right to take that away from me, Mr. President."
He's referring to "Theirdentity," which
is my term for Tier 3 identities, which mostly consist of junk mail and
other spam lists that make a bet that there's a one-in-something chance
you're a fish that will rise to their bait. Property is a relevant
issue with this one, because when real relationships develop between
Tier 1 (Mydentity) demand and Tier 2 (Ourdentity) supply, the lack of
relationships between Me and Them (Mydentity and Theirdentity) becomes
fully exposed. And what gets most exposed is the lack of
permission They (those T3 marketers) have about mailing people crap
without permission. (Andre explains
the three tiers here.)
Permission is the key. And that's all
about property, no?
Here's the kicker: When you embed Creative Commons-type
permissions in Mydentities, and Mydentities become ubiquitous (because
they're based on open Net-native protocols, standards, file formats,
APIs, etc., and are carried with each of us on our smart credit cards,
in our email signatures, in the business transactions that not only
allow but welcome it), Tier 3 Theirdentities go away for the simple
reason that they are not permitted and quickly become obsolete.
Bryan Field-Elliot has been
telling us, eloquently, against the current of anti-DRM hostility
that most of us feel around here (especially me), that Digital Identity
necessarily involves DRM. With that in mind, I think the point I'm
making here is that DIM (Digital Identity Management) is the
customer-side, the demand-side, reciprocal of DRM. It's what DRM needs to
really work, and not just to enforce, which is its legacy purpose. And
by "work" I mean create and sustain relationships. Some of those
relationships will consist of choices NOT to get crap from people we
don't know, and about products and services we don't care about.
As Bryan
says,
...once the protocols are designed (with Liberty being
good first steps), and once the software is widely deployed (in the
usual ways such as server-side, as well as to-be-explored ways such as
rich client-side), then we'll be left with a whole new social
tug-of-war over which kinds of credentials are accepted where, and
when. It will be a can of worms, tug of war, take your pick of
metaphors, but the one thing it will no longer be, is a software or
protocol problem.
Whatever else the outcome may be, the
losers will be the pure Tier 3 players, starting with spammers.
[The Doc Searls Weblog]
4:21:07 AM
© Copyright 2006 Russ Savage.
Last update: 5/8/06; 9:03:47 PM.